[Apparmor-dev] 2.6.29 update
John Johansen
jrjohansen at verizon.net
Wed May 20 04:15:38 MDT 2009
Mario Fetka wrote:
> On Monday, 27. April 2009 00:25:04 John Johansen wrote:
>> John Johansen wrote:
>>> Just an update,
>>>
>>> I found myself with a less than functional computer for the last while
>>> and I haven't finished the update yet. I have time tonight and over the
>>> next few days so it should finally go up soon.
>>>
>>> sorry for the inconvenience and delay
>> Just an update, I am sorry to say I was too optimistic, and I don't have
>> it working yet. I know the delay has been unacceptably long, but I am
>> working on it, and it will happen. I have set aside time each day and
>> over the next couples AppArmor should see more development than it has
>> for a long time.
>>
>> It has turned into much more of a rewrite than I had expected, with much
>> of the domain transitions and locking changing. As well as some other
>> structural changes.
>>
>> I have abandoned the vfs based patchset for 2.6.29 (sorry I wasted time
>> on this, the update would probably have been out by now if I hadn't) and
>> the patchset will be entirely based on the security_path based hooks.
>>
>> The 2.6.29 version of AppArmor will at least temporarily be dropping
>> some features. I have mentioned this before but the set has changed
>> some. Replacement is back, but setprofile will still be missing as
>> well as some other features that don't fit into the security_path
>> framework.
>>
>> The patchset is going to happen in two distinct sets. The first is a
>> slightly stripped version of AppArmor that will work on 2.6.29 without
>> any patching to the kernel beyond adding the AppArmor module. This
>> won't provide full mediation of some kernel objects and setting of
>> attrs, etc. This is the version that will go up in the next couple of
>> days.
>>
>> After this goes up, I am going to move 2.3 AppArmor onto a new branch,
>> and trunk will become the development version. The module will see more
>> cleanups and changes. This time focusing on cleaning up the interface
>> and how permissions are handled. This is the version I plan to post to
>> lkml, to begin upstreaming efforts again.
>>
>> A following set of patches will add missing mediation back in as can be
>> achieved with a focus on upstreaming. So basically features dependent
>> on new hooks/changes to hooks, won't be added to AppArmor until they
>> pass upstreaming.
>>
>> john
>>
>
> Hello John,
>
> what's the state of the update?
>
Yes, sorry, I meant to get an update out a while ago, but being busy, it's
one of those things that slipped through the cracks.

As always, it's just taking longer than I anticipated, but I have been
working on it steadily a couple of hours a day, and I should have a testing
version up some time in the next few days. With the way things have
gone I'll say it will likely be the weekend, but I am hoping for sooner.

The testing version will have some bugs to be ironed out and won't have
all the changes/cleanups. But it will be enough to finally get AppArmor
up on 2.6.29/2.6.30. It will be as compatible as possible (there are
just some things that had to be dropped) with the current 2.3 user space.

Once this is up, I am going to branch trunk, making a 2.3.2 branch, with
necessary bug fixes going against it.

Trunk will stay as the development branch and get all the bug fixes that
2.3.2 gets as well as some other changes meant to clean up parts of the
code in preparation for upstream submission. The goal being to submit
within the next couple of weeks. Exactly when will just depend on
how fast I can get some of the changes done and what bugs pop up while I
am doing it.

The upstream version will break compatibility with 2.3, but this is with
an eye to fixing a few things for long term development. The main break
is going to be the interface, which needs to be cleaned up some, and
needs to break the tie between the dfa and the permissions set.
This will allow for the dfa to be used in more flexible ways, and also
lead to a smaller memory footprint for policy.

Once this is all done, development will start again on AppArmor 3, and
there will be more updates and mailing list traffic. Unfortunately I
haven't been the best at communicating what is going on, so the plan is I
am going to make a conscious effort to provide a weekly update even if
it is to say that nothing happened.
john